[HN Gopher] Find You: Building a stealth AirTag clone
Author: kerm1t
Score: 141 points
Date: 2022-02-21 16:01 UTC (6 hours ago)
Link: positive.security

Friday_ wrote:
  Why not build your own tracker that doesn't rely on Apple. You only have to have GPS, LoRaWAN, MCU, battery, and antenna. That's about it.

giaour wrote:
  Can you get onto a LoRaWAN network without some kind of service contract? Seems like it would leave a paper trail for investigators to follow, whereas the pirate AirTags described in the article are anonymous commodity hardware using the victim's Apple devices for connectivity.

Friday_ wrote:
  I don't know. Maybe you get a signal from the tracker (everyone likewise) and if somebody asks you if you are the owner of it, you just play dumb.

mckirk wrote:
  You also need a way to communicate back the tracking results, which presumably implies a SIM card and thus more opportunity to get detected (and linked back to you). But yes, in theory you can (and always could) do that.

  The barrier to entry would be a lot higher though, as all that's needed here is 'microcontroller with Bluetooth'. And that really makes it dangerously easy.

cure wrote:
  > You also need a way to communicate back the tracking results, which presumably implies a SIM card and thus more opportunity to get detected (and linked back to you). But yes, in theory you can (and always could) do that.

  I think gp included the LoRaWAN for that purpose. No SIM required.

mckirk wrote:
  Ah right, I had overlooked that, never having seen the word "lorawan" before.

  I honestly have no idea how widespread LoRaWAN is, but I would be very surprised if it came anywhere close to the coverage you can achieve using Apple users carrying your uplinks around unwittingly.
  (Especially if you are attempting to track an Apple user.)

scoopertrooper wrote:
  You'd also need a LoRaWAN network to hook into.

  But most importantly, I doubt you could build a LoRaWAN tracker as compactly as an AirTag. A beacon would use significantly less electricity and therefore require a smaller battery.

  Below is one of the smallest LoRaWAN modems on the market, which by itself is marginally bigger than an AirTag. Now add batteries, GPS, antennas, and an SoC to drive the whole thing.

  https://www.murata.com/en-eu/news/connectivitymodule/lpwa/20...

Scoundreller wrote:
  There are some groups building 'armageddon' mesh-based hand-held communicators like Meshtastic. Converged hardware is already there. The network probably is too in more and more metros if you're not within a few km of what you're trying to communicate with/track.

  https://meshtastic.org

  Map: https://canvis.app/meshtastic-map

Friday_ wrote:
  This looks interesting, but the device itself looks like it wouldn't survive a fall on the floor, let alone armageddon. Just joking.

Scoundreller wrote:
  The case is up to you. I plan on using a plastic food jar :)

cure wrote:
  There's also the Helium network (https://explorer.helium.com/) which has a surprising amount of coverage, especially in urban areas.

rahimnathwani wrote:
  Because:

  - using a cellular modem requires a high capacity battery

  - if you hide a tracker well, it probably won't have good GPS reception

  Apple's BLE-based network solves both of these problems.

Friday_ wrote:
  Those are not problems that needed to be solved.

  The problem is: 1. Precise location of the tracked object, now.

  This is actually one problem and Apple didn't solve it very well; an AirTag doesn't work in real time. You only get updates when there are people near the object who use an iPhone.

quenix wrote:
  > You only get updates when there are people near the object who use an iPhone.

  Ok?
  In practice, this is most of the time. In most reasonable use cases (i.e. excluding the Sahara desert or some remote mountain).

LeoPanthera wrote:
  > using a cellular modem requires a high capacity battery

  The example third party AirTag clone described on the linked page is powered by a full size USB power bank.

kayson wrote:
  Because it's a proof of concept using an ESP32, not because that battery capacity is fundamentally necessary for the idea to work.

  It could easily be optimized for power and size. Sure, it will have to use more power than a vanilla AirTag, because it's doing (slightly) more, but not enough to make a significant difference.

kelnos wrote:
  You or I could probably do that, but that's well beyond the technical capabilities of your average would-be stalker.

mk_10000000 wrote:
  Link to the repo: https://github.com/positive-security/find-you

mmastrac wrote:
  Does this mean that Apple is failing to validate the capability of things that purport to be AirTags? Or that the BLE protocol is just not powerful enough to have Apple signatures on each broadcast public key?

  If it's the latter, it might mean that the entire AirTag product line is dead in the water.

smithza wrote:
  Apple will probably say something to the effect of, "we didn't have to put anti-stalking technology in, and it works well for the 99% of use cases." The common stalker will not have the technical skills to build their own custom-firmware version of a BLE-enabled system. I don't think this revelation will kill the product line.

deanc wrote:
  I didn't fully grep the article, but assuming the src is public and hardware is trivially built - I wouldn't put it past someone packaging this up and selling it.
  It doesn't need a huge number of people to be bad enough PR for Apple to have to do something - much like 99.9999999% of people are not using them for stalking but it's all that's talked about in the media with these tags.

mmastrac wrote:
  After reading more about this on the attached repo, I think we're going to see some AliExpress clones popping up pretty quick. AirTags appear to be pretty minimal tech - much less complex than I had thought if you exclude the high-precision location finder.

smithza wrote:
  It is a difficult technical problem for Apple to solve all of the corner cases. The article shows the screenshot of seemingly 100 unique FindMy devices around this guy's personal residence... there may be some characterization work that can help solve that so an iPhone user would get the alert message. But Apple will continue to promote it and dismiss or downplay these security concerns.

mox1 wrote:
  The problem is easy to solve, just store copies of all public keys of each AirTag you send out.

  AirTag messages with unknown public keys just get dropped on their server-side checks.

gruez wrote:
  > The problem is easy to solve, just store copies of all public keys of each AirTag you send out.

  That kills the privacy aspect of it, because it also means Apple knows about the exact whereabouts of each tag. AirTags are specifically designed/marketed so Apple can't do that.

anchpop wrote:
  A core selling point of AirTags is that other people's iPhones help you find your AirTag. That's also what makes them effective trackers. It's a bit of an unsolvable problem.

mox1 wrote:
  Yes, and Apple 100% has the capacity / ability to filter out "fake" AirTags on their back-end. All they need to do is set up a manufacturing process that captures the public keys.

  So the phones will still relay the beacons to Apple, who can then do things and just reject messages from these fake tags.
  (I worked for a Medical Device Company that set all of this up within our supply chain).

mmastrac wrote:
  If they haven't been doing this so far, it seems like it will be a tough job to record them after the fact. Perhaps they could interrogate each device and require it to be re-adopted, then record the data at that point, but it seems like an arms race they won't win.

gumby wrote:
  They are just getting started. They could add this to their production -- the old ones would quickly become a tiny percentage.

gumby wrote:
  > The common stalker will not have the technical skills to build their own custom-firmware version of a BLE-enabled system.

  The state or corporate actor will have those skills.

  The common stalker will simply buy them online.

IshKebab wrote:
  Yeah I don't understand this. Surely AirTags have to be registered, and when an iPhone sees tag 3957375967 Apple's servers look that up and say "oh it's registered to Billy Bob; I'll tell them".

  But if your fake AirTag rotates through 2000 IDs how do you register them all?

xt00 wrote:
  Seems like the end-game for this is to change things around like this:

  1. you can't track items outside of some distance from you in real-time

  2. items marked as lost would need to be sent to a review team inside Apple (contractors I imagine) that would then log your information, require you to explain what the item is, and generally make it very cumbersome to get the actual location or history of the location

  3. then very likely a neutral 3rd party would have to go to the location to determine if the claim seems to be legitimate, or this is a case of somebody stalking somebody else or something

  4. likely would require police getting involved somehow

  The idea that people can be vigilantes and track down their own stolen bike is a great idea, but it basically equates to "stalking somebody"..
  Any work-arounds for Android users and iPhone users will either only work in certain circumstances (what if you only live 1 mile away from the bars downtown -- then the stalker knows where you live and the device was with you a super short period of time -- maybe 2-5 mins depending upon method of travel)... the only way around this is to block people from being able to get the raw information -- sure the data might be collected, but giving it directly to the customer is both the best and worst thing about this.

UncleEntity wrote:
  Apple apparently stores every reported location in a database and allows people to query whether a certain public key was received, with or without the key being registered to a specific user, since they change on a regular basis so one can't track a specific device.

stefan_ wrote:
  The mental model I had is that AirTags are manufactured with a private/public key pair burned into them that allows Apple to validate the thing you are linking to your account on initial setup is really a legit AirTag.

  It appears none of that was ever true and you can register just anything as an AirTag that speaks the right BLE with no secrets required for a world full of iPhones to start tracking them.

  So yeah, expect Chinese clones to show up within a month, for five dollars each and certainly no speaker included.

a-dub wrote:
  Silly question here: modern smartphones rotate their MAC addresses frequently for privacy, but aren't the Bluetooth addresses on phones and headphones and all the rest static and easily detected?

air7 wrote:
  It seems to me that this attack leaves a very easy to detect signature of several tags that were seen only once by the same device. To counter being detected, an attacker would need to fake other readings of the same single-use "tags" by other devices. This is somewhat similar to detecting fake spam accounts in social networks.
  It's a cat-and-mouse game, but it seems that in this case the cat has the upper hand unless the mice are willing to put in a lot of effort to fake "realness", which might make the attack not feasible.

noja wrote:
  Other trackers don't tell you they are tracking you though; what about those?

giaour wrote:
  You can purchase pre-made GPS+cellular trackers, but it seems like it would be much easier to tie a detected tracker of this type back to a specific person. A tracker with cellular capability will have a SIM and some kind of subpoena-able service record, while one of the pirate AirTags described in the post is basically just an antenna and a battery.

gruez wrote:
  > A tracker with cellular capability will have a SIM and some kind of subpoena-able service record

  Prepaid SIM. The US (and many other countries) does not have mandatory registration for SIM cards. See: https://www.gsma.com/publicpolicy/wp-content/uploads/2013/11...

CharlesW wrote:
  I understand your point and it's completely valid, but I think the difference is that Apple is mainstreaming personal tracking in a way that other companies could only dream of, and in doing so is also mainstreaming awareness of how technologies like this might be abused. Because of this, Apple has painted a giant target on their back even though they're arguably handling privacy issues better than anyone else in this space.

  On the bright side, the end result of this is that AirTags will be safer for everyone, and competitors with tracking products not designed for secret spying will be forced to step up their privacy games.

Scoundreller wrote:
  I think what Apple is really mainstreaming is the mass-use of their devices as a low-bitrate, irregular sneakernet. This should replace lots of IoT stuff.
  It's kinda dumb that our cabin has a 'smart' meter on a mesh network, but there's no way for me to remotely turn on a heater 4h before I arrive without a $10+/month subscription.

  Maybe one day I can order a book offline and it just shows up because the on-line devices nearby (or that are likely to show up nearby) can drop it off wirelessly.

  A traffic light won't be needing its own internet subscription or private physical network to beam up a picture of the intersection or status.

tiarafawn wrote:
  If they need to rely on their own GPS and internet uplink rather than just Bluetooth, they would be much more expensive.

Crosseye_Jack wrote:
  But not that much more, even in small quantities.

  If you exclude the time to dev the software, design the PCB, and assemble the tracker, then you can knock up an NB-IoT module + GPS module + microcontroller & supporting parts (to tie the two modules together) for about $30-$35 in small quantities; keep your data usage low and you can throw in a pre-paid NB-IoT SIM for about $15.

  EDIT: It's not gonna be as small as an AirTag, but if you wanted to tag something like a car you could get it into a small enough box to easily hide under it.

  EDIT The 2nd: Throw in a movement detector, keep everything asleep unless it's moved, before firing up the GPS/modem write your code so as not to power up the GPS/modem unless a certain time has passed since the last known location fix, when you do fire up the GPS compare the location to the last known location so you only need to phone home if the distance has changed by a certain amount, and you could get a decent battery life.

  (not that I've thought about this...)

kelnos wrote:
  Sure, but I hope it's easy to understand that it's orders of magnitude easier to just buy an AirTag (including "silenced" ones from eBay or wherever) and drop it in someone's purse or coat pocket, or attach it to their car.
  Pretty much no regular stalker is going to design and build their own GPS+cellular tracker. Even if someone were to do that and then sell them online, the barrier to finding and buying those is still probably going to be higher than getting an AirTag. And the battery won't last anywhere near as long as well. And also consider that the software running on it, as well as the cloud service that lets you check the location, doesn't just magically appear either. Someone has to build and host that as well. Even a lower-tech solution that just emails a location report every few minutes still requires work to build.

  Yes, it's absolutely possible, and not super difficult, to track someone using a GPS+cellular device. But it feels really disingenuous to claim that tracking people was just as easy to do for your average stalker pre-AirTags.

Shank wrote:
  > Even if someone were to do that and then sell them online, the barrier to finding and buying those is still probably going to be higher than getting an AirTag.

  They're on Amazon, for $50-150 [0]. The first result for "GPS tracker" I found has 10 days of battery life, which is a fair negative, but you can do a lot to someone if you follow them for 10 days.

  [0]: https://smile.amazon.com/LandAirSea-Waterproof-Magnetic-Pers...

Crosseye_Jack wrote:
  > Sure, but I hope it's easy to understand that it's orders of magnitude easier to just buy an AirTag

  Oh yeah, was just pointing out that the pricing of such things is dropping like flies.

  > Pretty much no regular stalker is going to design and build their own GPS+cellular tracker.

  Agreed, again was just pointing out the pricing of parts.

  > Yes, it's absolutely possible, and not super difficult, to track someone using a GPS+cellular device. But it feels really disingenuous to claim that tracking people was just as easy to do for your average stalker pre-AirTags.
  I don't think I did claim that. I wasn't trying to claim that. Maybe that's just the limitation of using text.

eyeeyesawayyy wrote:
  AirTags are unique in that they use every iPhone in the world as part of the network which tracks them and reports their locations.

  So, unlike GPS trackers or competing Bluetooth trackers, AirTags can do two things:

  * Last for a very long time on a small battery, no recharging required.

  * Reliably report location anywhere in the world that an ordinary person is likely to be.

moffkalast wrote:
  I've always been sceptical of this working well enough to be usable. Does the average iPhone owner leave their Bluetooth, GPS, and mobile network on 24/7? Sounds like an awful waste of power. What about in the rest of the world outside the US, Canada and Australia where Android is the market leader and iPhones are rather rare?

  What happens inside buildings when the phone doesn't have a fix? Does it store the tag's key and send it as soon as it gets GPS data?

stefan_ wrote:
  _AirTags exist and they work perfectly fine in all these conditions._ We would need to turn the clock back a few years for this comment to make sense, in a universe where AirTags didn't yet exist.

  Your phone takes its last position from GPS, refines it with RSSI of nearby WiFi networks and then you add in the broadband stuff they have to localize the tag further.

jaywalk wrote:
  > Does the average iPhone owner leave their Bluetooth, GPS, and mobile network on 24/7?

  Absolutely, yes.

  > What happens inside buildings when the phone doesn't have a fix?

  Have you never used your phone inside a building before? It still has a very good idea of your location; it doesn't rely solely on GPS signals.

gorbypark wrote:
  I've just moved to Spain, from Canada, and was wondering the same. A quick Google search shows iPhone has less than 12% market share here.
  I did a little test in Valencia about a week ago by just walking around with my AirTag on my keys in "lost mode" and they got picked up very frequently. I was pretty happy with the results; I don't think approximately only one in ten people on the streets having an iPhone would have much effect on the usefulness.

[deleted]

planb wrote:
  > Does the average iPhone owner leave their Bluetooth, GPS, and mobile network on 24/7?

  Yes of course. That's how these phones are supposed to work. I don't have time to micromanage my devices. As long as I get a day of usage, why would I bother?

jimjambw wrote:
  Why wouldn't you leave those things on? Apple designed iOS for those things to be handled and turned on when needed. BLE is quite low in power, GPS is only on when location services need it. These are concerns I would have had about 10-15 years ago, but I don't now.

jedberg wrote:
  AirTag is a difficult problem to solve -- the usefulness of the product for "good" uses is directly related to how easy the "bad" uses are. Eventually it will be limited to the point where you can only track items that your phone can detect, and that won't be super helpful.

  Sure you can use it to find your lost keys in your own house and maybe have it warn you when you've been separated from your AirTag, but that's about it.

[deleted]

(page generated 2022-02-21 23:00 UTC)
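The detection heuristic air7 describes in the thread above (a cluster of keys each seen exactly once, all by the same finder device, and by no other device), as an added Python illustration that is not part of the thread or of the find-you project. The sightings, reporter ids and key names are constructed sample data, and the time window and key-count threshold are assumed values, not Apple's.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sighting:
    reporter: str  # pseudonymous id of the finder device (constructed)
    key: str       # advertised public key, abbreviated (constructed)
    ts: int        # unix seconds of the report


def single_use_keys(sightings):
    """Keys that appear exactly once across all reports: one finder, one time.
    A key reported by a second device (or twice by the same one) is excluded,
    which is the 'fake other readings' evasion the comment mentions: the
    attacker would have to manufacture those extra reports."""
    by_key = defaultdict(list)
    for s in sightings:
        by_key[s.key].append(s)
    return {k for k, rows in by_key.items() if len(rows) == 1}


def suspicious_reporters(sightings, window=3600, min_keys=5):
    """Finders that reported at least `min_keys` distinct single-use keys
    inside some `window`-second span (thresholds are assumed).
    Returns {reporter: {"peak": count in densest window, "keys": [...]}}."""
    single = single_use_keys(sightings)
    per_rep = defaultdict(list)
    for s in sightings:
        if s.key in single:
            per_rep[s.reporter].append(s)
    flagged = {}
    for rep, rows in per_rep.items():
        rows.sort(key=lambda s: s.ts)
        best, j = 0, 0
        for i, row in enumerate(rows):  # sliding window over report time
            while row.ts - rows[j].ts > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_keys:
            flagged[rep] = {"peak": best, "keys": sorted(r.key for r in rows)}
    return flagged


BASE = 1645459200  # 2022-02-21 16:00 UTC; constructed sample data below

SAMPLE = [
    # phone-A: six distinct keys, each reported once, five minutes apart
    *[Sighting("phone-A", f"k{i}", BASE + 300 * i) for i in range(1, 7)],
    # phone-B: one legitimate key reported three times, one shared with phone-C
    Sighting("phone-B", "r1", BASE + 100),
    Sighting("phone-B", "r1", BASE + 700),
    Sighting("phone-B", "r1", BASE + 1300),
    Sighting("phone-B", "r2", BASE + 2000),
    # phone-C: the shared key once, plus a single stray key (below threshold)
    Sighting("phone-C", "r2", BASE + 2100),
    Sighting("phone-C", "k7", BASE + 2200),
]

if __name__ == "__main__":
    for rep, info in suspicious_reporters(SAMPLE).items():
        print(rep, info)  # phone-A {'peak': 6, 'keys': ['k1', 'k2', 'k3', 'k4', 'k5', 'k6']}
```

A genuine AirTag also rotates its key, so a tag sitting next to one phone can yield single-use keys too; the cross-device check and the threshold are what keep this from firing on every legitimate tag, and both would need tuning on real report volumes.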